Target IP: 192.168.156.202
Challenge Description: Don't spin your tires too long.
There are two TCP ports open on the target machine, as shown above.
Performing an aggressive port scan against the open ports returns the result above. I will start enumeration with the HTTP application on port 80.
Port 80: HTTP
The webpage above is displayed for this web application.
The login.php displays the webpage above. I tested this application for SQL injection, but I had no luck. I also tested default credentials such as admin:admin and admin:root, but I had no luck either.
I registered a new account with the username test and the password as test.
The webpage still looks the same; however, I am unable to access the Employees Portal, as the error message Access Denied is displayed to me. This web application does not allow normal users to access the Employees Portal.
I notice there is an employee email info@wheels.service. I assume the web application uses the email domain to decide who counts as an employee. Therefore, I registered a new account with the email tester@wheels.service and logged in as this user. Now I can access the Employees Portal, as shown above. The dropdown has two options: Car and Bike.
Selecting Car in the dropdown and pressing Search displays what look like database records, as shown above.
I intercepted the POST request using Burp Suite and changed the parameter work to ', as shown above. This gave me the error message SimpleXMLElement::xpath(): Invalid expression in /var/www/html/portal.php, as shown on the right-hand side of the response in the image above. It seems the web application is vulnerable to XPath injection, an attack similar to SQL injection: user input is concatenated into the XPath expression, so a single quote breaks the expression and a crafted value reshapes the query.
Using the guide from here, I managed to find a working payload. The payload I used is ')] | //password%00: it closes the original predicate, appends a union with //password, and uses the null byte to cut off the rest of the server's expression, which outputs the contents of the password nodes. Now I have the passwords of the different users from this table, as shown above. I can grab the usernames using the Car and Bike search results.
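To show the developer's side of this bug, here is an added example (not part of this writeup or of the target application) that contrasts the query-building pattern the error message suggests with a hardened version: the work parameter is validated against the two values the dropdown actually offers, and any free-text value is turned into a safe XPath string literal. The XML layout, vehicle records and the placeholder password are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample of the kind of document the portal appears to query.
# The real portal's layout is unknown; this only mirrors the page's observation
# that vehicle records and password values live in the same XML store.
PORTAL_XML = """<data>
  <vehicles>
    <vehicle><type>Car</type><model>Sedan</model><owner>bob</owner></vehicle>
    <vehicle><type>Bike</type><model>Cruiser</model><owner>alice</owner></vehicle>
  </vehicles>
  <users>
    <user><name>bob</name><password>PLACEHOLDER-NOT-REAL</password></user>
  </users>
</data>"""
PORTAL_DOC = ET.fromstring(PORTAL_XML)

ALLOWED_WORK = {"Car", "Bike"}  # the only values the dropdown offers


def vulnerable_query(work: str) -> str:
    # The pattern implied by the writeup: untrusted input spliced directly into
    # the XPath string. A quote inside `work` changes the query's structure.
    return "//vehicle[type='" + work + "']"


def xpath_literal(value: str) -> str:
    # XPath 1.0 has no escape character. A value containing one quote kind is
    # wrapped in the other; a value containing both must be built with concat().
    if "'" not in value:
        return f"'{value}'"
    if '"' not in value:
        return f'"{value}"'
    parts = value.split("'")
    return "concat(" + ", \"'\", ".join(f"'{p}'" for p in parts) + ")"


def search_vehicles(doc, work: str) -> list:
    # Allowlist first: the parameter has exactly two legitimate values, so any
    # other input (including the ')] | //password payload) never reaches XPath.
    if work not in ALLOWED_WORK:
        raise ValueError(f"rejected work parameter: {work!r}")
    # ElementTree's XPath subset supports [tag='text'] predicates; the concat()
    # form from xpath_literal is for full XPath 1.0 engines such as SimpleXML.
    path = f".//vehicle[type={xpath_literal(work)}]"
    return [v.find("model").text for v in doc.iterfind(path)]
```

The allowlist is the real fix for a fixed-choice parameter; xpath_literal() covers fields that legitimately accept free text.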
Using the six different usernames and passwords, I created the combinations shown above. That gives thirty-six possible credential pairs I can spray against the SSH service running on the target machine. I saved these credentials in a file called combinations on my machine.
I ran the command hydra -C combinations ssh://192.168.156.202 -t 4 against the target machine and got a hit, as shown above. The credentials bob:Iamrockinginmyroom1212 work against the SSH service on port 22.
And now I have a foothold on the target machine as the user bob with SSH, as shown above.
Running find / -perm -u=s -type f 2>/dev/null shows an unusual entry /opt/get-list, as shown above.
I experimented with the binary /opt/get-list and tested a few different ways to exploit it. And bingo. It looks like there is a command injection problem. The program seems to print the contents of the passed input after customers or employees is entered. I first passed /etc/passwd and was successful; then I passed /etc/shadow and obtained the password hash of root. I tried to obtain the .ssh/id_rsa key of user root, but I had no luck.
I copied the password hash $6$Hk74of.if9klVVcS$EwLAljc7.DOnqZqVOTC0dTa0bRd2ZzyapjBnEN8tgDGrR9ceWViHVtu6gSR.L/WTG398zZCqQiX7DP/1db3MF0 of the user root to my machine. Then I ran john (John the Ripper) on it. After a while, I obtained the password highschoolmusical of the user root, as shown above.
Then I switched to the user root using the password highschoolmusical. Now I have a root shell on the target machine.
The local.txt flag is shown above.
The proof.txt flag is shown above.